A pirated app called Happy Daily English beat Apple's App Store security review. Expert Michael Cobb explains how it works and what security teams can do about it.

Palo Alto Networks research revealed that a pirated iOS app was able to bypass Apple's App Store security review. How did this pirated app fool the security review? And what concerns, if any, should this give enterprises about the validity of app store approvals?

The objective of Apple's App Review is to keep its iOS, Mac and tvOS app stores free from apps that are malicious, defective, dangerous, offensive or that infringe upon any of Apple's App Store Review Guidelines. The reviews play an important role in safeguarding the privacy and security of iOS users. Every app and every update has to go through the review process, and it has been mostly successful at keeping malicious apps out of Apple's App Stores. There have been cases, though, where a developer has managed to slip inappropriate code through the code review. Find and Call was the first truly malicious app to pass through Apple's approval process back in 2012, while XcodeGhost and InstaAgent are two more recent examples.

Malware writers are always looking for new evasion techniques to prevent their code from being detected by antivirus software and code reviews, or from being analyzed when run in a sandbox environment. Sandbox and human activity recognition, as well as delayed execution, are just some of the tactics used to hide a malware's true functionality, allowing it to pass inspection. Researchers at Palo Alto Networks recently discovered an iOS app called Happy Daily English that fooled the Apple review process by using an ingenious method to hide its real purpose from reviewers.

The authors of Happy Daily English used geolocation to hide the true nature of their pirated app. Yes, it performs differently for users in different physical locations on earth. When users outside of China install what Palo Alto Networks have dubbed ZergHelper, it acts as an English language study app. However, when accessed from China, its malicious features appear, which include directly installing free, and, most likely, pirated versions of legitimate apps and games. If the App Store reviewers weren't located in mainland China, they would only have seen the legitimate app.

As there is no explicit malicious functionality in this pirated app, Palo Alto Networks only classified it as riskware, but it still introduces potential security risks to iOS device users. It abuses enterprise and personal certificates to sign and distribute apps, and the security of the apps it installs can't be ensured. It may also have the ability, now or in the future, to harvest account information; its use of the programming language Lua could be an attempt by the author to extend its capabilities via dynamic code loading. This is a legitimate technique misused by malware to download additional and malicious code from the internet to circumvent offline analysis, and, in this case, bypass Apple's mandated review of any updates. Overall, its code is very complex and incorporates questionable techniques that could be used by other malware to attack the iOS ecosystem.

Happy Daily English has been removed from the App Store, but Apple and other app stores will have to implement new methods to catch other malicious pirated apps that try to use geolocation to get through a review process. Also, additional checks will have to be made on apps that use software development kits providing JavaScript, Lua or other scripting languages, in case they are trying to use dynamic code loading to implement malicious functionality. Anyone who has installed this pirated app should remove it, as its code is too sophisticated to purely provide a conduit to free apps and may be the precursor to more malicious actions.

Join the conversation

2 comments

Register

I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.